From: Jan Glauber <jan.glauber@de.ibm.com>
To: Valdis.Kletnieks@vt.edu
Cc: linux-crypto <linux-crypto@vger.kernel.org>,
linux-kernel@vger.kernel.org
Subject: Re: [RFC][PATCH] Pseudo-random number generator
Date: Tue, 05 Dec 2006 14:07:27 +0100 [thread overview]
Message-ID: <1165324047.6337.39.camel@bender> (raw)
In-Reply-To: <200612041615.kB4GF7lx031249@turing-police.cc.vt.edu>
On Mon, 2006-12-04 at 11:15 -0500, Valdis.Kletnieks@vt.edu wrote:
> On Fri, 01 Dec 2006 14:19:15 +0100, Jan Glauber said:
> > New s390 machines have hardware support for the generation of pseudo-random
> > numbers. This patch implements a simple char driver that exports this numbers
> > to user-space. Other possible implementations would have been:
>
> > + for (i = 0; i < 16; i++) {
> > + entropy[0] = get_clock();
> > + entropy[1] = get_clock();
> > + entropy[2] = get_clock();
> > + entropy[3] = get_clock();
>
> By the time this loop completes, we'll have done 64 get_clock() - and if an
> attacker has a good estimate of what the system clock has in it, they'll be
> able to guess all 64 values, since each pass through the loop will have fairly
> predictable timing. So as a result, the pseudo-random stream will be a *lot*
> less random than one would hope for...
I completely agree. Filling the input buffer with timestamps looks quite
uncomfortable but was exactly what the hardware specification suggested.
At least for the initialisation of the PRNG I preferred get_random_bytes()
over get_clock to get a good initial seed. But get_random_bytes cannot
be used during normal operation since the PRNG read should not block.
> > + /*
> > + * It shouldn't weaken the quality of the random numbers
> > + * passing the full 16 bytes from STCKE to the generator.
> > + */
>
> As long as you realize that probably 12 or 13 or even more of those 16 bytes
> are likely predictable (depending exactly how fast the hardware clock ticks),
> and as a result the output stream will also be predictable.
Yes, if an attacker knows the initial clock value a brute-force attack
would be feasible to predict the output. But I don't know if the
hardware completely relies on the clock values or if there is any
internal state which is not visible by an attacker. I will try to find
out more details...
Jan
next prev parent reply other threads:[~2006-12-05 13:11 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-12-01 13:19 [RFC][PATCH] Pseudo-random number generator Jan Glauber
2006-12-01 13:39 ` Alan
2006-12-01 15:20 ` Jan Glauber
2006-12-01 15:37 ` Alan
2006-12-04 16:15 ` Valdis.Kletnieks
2006-12-05 13:07 ` Jan Glauber [this message]
2007-01-16 14:07 ` Jan Glauber
2006-12-07 15:06 ` Arnd Bergmann
2006-12-07 15:19 ` Jan Glauber
2006-12-07 18:43 ` Arnd Bergmann
2006-12-08 11:42 ` Jan Glauber
[not found] <7ngD0-8fX-11@gated-at.bofh.it>
[not found] ` <7ngMA-8D-39@gated-at.bofh.it>
[not found] ` <7niv3-4sQ-21@gated-at.bofh.it>
[not found] ` <7niEE-4Mk-5@gated-at.bofh.it>
2006-12-01 17:33 ` Bodo Eggert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1165324047.6337.39.camel@bender \
--to=jan.glauber@de.ibm.com \
--cc=Valdis.Kletnieks@vt.edu \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.